
What is an AUTH-KEY in the security of computers?

Çağlar Arlı


I'm studying computer security and in particular URL spoofing. I understand that one form of URL spoofing is phishing. Then I read that a countermeasure against phishing is the authentication key. But I have not understood well what an authentication key is.

In the notes I read:

The key contains a seed related to the user, a timer, a secret symmetric key and a counter. On the server, instead, there is a timer, the same symmetric key, a list of seeds related to the users, and also a counter for each user.

When the user clicks the button on the key, it generates an HMAC(Seed||K||Timer||Counter) that is generated on the server in the same way: if there is a match, access is granted.

Clearly, the timers will not be perfectly synchronized, so the server will generate several HMAC codes with several timer values (depending on the gap between the user's timer and the server's timer) and will look for a match among those.

Each click by the user is recorded by the counter, and thus the two counters (on the server and on the key) are kept synchronized. As a result, an old code can no longer be used (the counter does not match).

The key does not work if the opponent is particularly shrewd and performs a session hijacking, that is, the data you just entered on the phishing site is immediately forwarded to the real site of the bank.

It's like a man in the middle: the opponent acts as an intermediary, with its "fake" pages, between the bank and the user. It is also for this reason that another password is often requested before carrying out operations of some significance.

Is the auth-key a key (consisting of seed, timer, counter and secret symmetric key) that only the client possesses? What is meant by seed? And what is the counter related to? What is an HMAC? How can there be a match if the key is secret?

I understood very little. Would someone be able to explain it in a simple way? Or are there websites where this subject is treated in a more comprehensive and easy way?

I read the Wikipedia page, but I have not found much more.
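
The scheme in the quoted notes, as an added example that is not part of the original post or the notes: both sides hold the same seed and secret K and compute the same HMAC, so the secret itself is never sent. Assumptions: K is used as the HMAC key over Seed||Timer||Counter, the timer advances in 30-second steps, the server tries one step either side, and it tolerates a few clicks that were never submitted; all names and sample values are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30         # assumed timer granularity in seconds
TIME_WINDOW = 1   # assumed: server tries timer steps -1, 0, +1
LOOK_AHEAD = 5    # assumed: tolerate clicks that were never submitted


def code(seed: bytes, key: bytes, timer_step: int, counter: int) -> str:
    """HMAC over Seed||Timer||Counter, keyed with the shared secret K."""
    msg = seed + struct.pack(">QQ", timer_step, counter)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class Token:
    """The device in the user's hand: seed, key, own clock, click counter."""
    def __init__(self, seed: bytes, key: bytes):
        self.seed, self.key, self.counter = seed, key, 0

    def click(self, now: int) -> str:
        c = code(self.seed, self.key, now // STEP, self.counter)
        self.counter += 1  # every click is counted, submitted or not
        return c


class Server:
    """Holds the same key and seed per user, plus the next expected counter."""
    def __init__(self):
        self.users = {}  # user -> [seed, key, next_counter]

    def enroll(self, user: str, seed: bytes, key: bytes):
        self.users[user] = [seed, key, 0]

    def verify(self, user: str, submitted: str, now: int) -> bool:
        seed, key, nxt = self.users[user]
        for ctr in range(nxt, nxt + LOOK_AHEAD):
            for drift in range(-TIME_WINDOW, TIME_WINDOW + 1):
                expected = code(seed, key, now // STEP + drift, ctr)
                if hmac.compare_digest(expected, submitted):
                    self.users[user][2] = ctr + 1  # burn this and older counters
                    return True
        return False


if __name__ == "__main__":
    seed, key = b"constructed-seed", b"constructed-secret-K"  # constructed values
    srv, tok = Server(), Token(seed, key)
    srv.enroll("alice", seed, key)
    c = tok.click(now=1000)
    print(srv.verify("alice", c, now=1020), srv.verify("alice", c, now=1020))
```

The check accepts a fresh code from whoever submits it first and nothing in the code ties it to the site where it was typed, which is why the real-time relay case in the notes is not stopped by the key alone.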